Here’s the LDAP config for all 3:

Server 1 (Works: 0.9.13-incubating):

#LDAP properties
ldap-hostname:ldapserver
ldap-port:389
ldap-encryption-method:none
ldap-dereference-aliases:never
ldap-search-bind-dn:cn="Directory Manager"
ldap-search-bind-password:password
ldap-user-base-dn:cn=users,cn=accounts,dc=example,dc=com
ldap-username-attribute:uid
ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com

Server 2 (Works: 0.9.13-incubating):

#LDAP properties
ldap-hostname:ldapserver
ldap-port:389
ldap-encryption-method:none
ldap-dereference-aliases:never
ldap-search-bind-dn:cn="Directory Manager"
ldap-search-bind-password:password
ldap-user-base-dn:cn=users,cn=accounts,dc=example,dc=com
ldap-username-attribute:uid
ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com

Server 3 (Does NOT work: 1.0.0):

#LDAP properties
ldap-hostname:ldapserver
ldap-port:389
ldap-encryption-method:none
ldap-dereference-aliases:never
ldap-search-bind-dn:cn="Directory Manager"
ldap-search-bind-password:password
ldap-user-base-dn:cn=users,cn=accounts,dc=example,dc=com
ldap-username-attribute:uid
ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com

Thanks,
Harry

From: Mike Jumper <mjum...@apache.org>
Sent: Wednesday, May 20, 2020 4:18 PM
To: user@guacamole.apache.org
Subject: Re: Issue configuring LDAP

On Wed, May 20, 2020 at 1:06 PM Devine, Harry (FAA) 
<harry.dev...@faa.gov.invalid> wrote:
We have 3 servers all configured this way (I’ve redacted sensitive 
information); 2 work and 1 doesn’t:

#LDAP properties
ldap-hostname:ldapserver
ldap-port:389
ldap-encryption-method:none
ldap-dereference-aliases:never
ldap-search-bind-dn:cn="Directory Manager"
ldap-search-bind-password:password
ldap-user-base-dn:cn=users,cn=accounts,dc=example,dc=com
ldap-username-attribute:uid
ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com

Can you pull the configuration from the 2 working servers (if the above isn't 
already this)? I am surprised that the above work, because:

1) The search bind DN doesn't look fully qualified (it may well be correct for 
your LDAP directory, but it does look odd)
2) The search bind DN contains quotes within the value of the "cn" attribute. I 
believe these would be interpreted as literal quotes to be included as part of 
the DN, automatically escaped by Guacamole when it uses the DN to authenticate. 
Unless the username of the bind user is indeed ""Directory Manager"", I would 
expect this to instead be "cn=Directory Manager", or "cn=Directory 
Manager,dc=example,dc=com", or similar.

Thanks,

- Mike
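
The two points raised in the reply above, as an added check that is not part of the original thread or of Guacamole's own code: it flags unescaped quotes in the bind DN value, shows the RFC 4514 escaped form they take if treated as literal characters, and notes a bind DN with no dc= component. The function names and finding codes are assumptions made for this example.

```python
import re

# Added example (names are its own). Constructed sample: bind DN line from the thread.
SAMPLE = '''#LDAP properties
ldap-search-bind-dn:cn="Directory Manager"
'''

def parse_properties(text):
    """Read key:value / key=value lines (Java backslash escapes not processed)."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^#!:=\s][^:=\s]*)\s*[:=]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).rstrip()
    return props

def split_rdns(dn):
    """Split a DN on commas, honouring RFC 4514 backslash escapes."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        step = 2 if dn[i] == "\\" and i + 1 < len(dn) else 1
        if step == 1 and dn[i] == ",":
            parts.append(cur.lstrip())
            cur = ""
        else:
            cur += dn[i:i + step]
        i += step
    return [p for p in parts + [cur.lstrip()] if p]

def escape_value(value):
    """Escape a literal attribute value for use in a DN (RFC 4514)."""
    out = [("\\" + c) if c in '\\",+;<>' else c for c in value]
    if out and out[0] in ("#", " "):
        out[0] = "\\" + out[0]
    if len(out) > 1 and out[-1] == " ":
        out[-1] = "\\ "
    return "".join(out)

def check_bind_dn(props):
    """Return (code, message) findings for ldap-search-bind-dn."""
    findings = []
    rdns = split_rdns(props.get("ldap-search-bind-dn", ""))
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        if '"' in re.sub(r"\\.", "", value):  # a quote not preceded by a backslash
            findings.append(("literal-quotes", f"{rdn} taken literally is {attr}={escape_value(value)}"))
    if rdns and not any(r.lower().startswith("dc=") for r in rdns):
        findings.append(("no-dc-suffix", "bind DN has no dc= component; confirm it is the full DN"))
    return findings
```
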
